azorult | 1464e7d26d44d7a83f057056954155a3bec0ee3dfebde5bea8e36945e735c79c | Triage

Submit
Reports

Overview

overview

Static

static

PO#181120_pdf.exe

windows7_x64

PO#181120_pdf.exe

windows10_x64

Sharing

General

Target

PO#181120_pdf.exe
Size

591KB
Sample

201118-g4m7q5ged6
MD5

b44d7c5f8bc1eee381699ae6027267b5
SHA1

d47c587ce89d75e93d3fb434f545f4d70e0002c3
SHA256

1464e7d26d44d7a83f057056954155a3bec0ee3dfebde5bea8e36945e735c79c
SHA512

08b1ad833baa70fcf8d3d061a1f8b3a8c135d456b670779e259eeae57967a61e668b1d8cc9523cc37eea7d897f80ec618755a06b9443750a95714c057abbc8d7

Score

10^/10

azorult discovery infostealer persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO#181120_pdf.exe

Resource

win7v20201028

azorult discovery infostealer persistence spyware trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO#181120_pdf.exe

Resource

win10v20201028

azorult discovery infostealer persistence spyware trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

azorult

C2

http://binatones.gq/felix/index.php

Targets

- Target
  
  PO#181120_pdf.exe
- Size
  
  591KB
- MD5
  
  b44d7c5f8bc1eee381699ae6027267b5
- SHA1
  
  d47c587ce89d75e93d3fb434f545f4d70e0002c3
- SHA256
  
  1464e7d26d44d7a83f057056954155a3bec0ee3dfebde5bea8e36945e735c79c
- SHA512
  
  08b1ad833baa70fcf8d3d061a1f8b3a8c135d456b670779e259eeae57967a61e668b1d8cc9523cc37eea7d897f80ec618755a06b9443750a95714c057abbc8d7
Score

10^/10

azorult discovery infostealer persistence spyware trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- JavaScript code in executable
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

azorultdiscoveryinfostealerpersistencespywaretrojan

behavioral2

azorultdiscoveryinfostealerpersistencespywaretrojan

© 2018-2024

Terms | Privacy